In the July memo, which was “for official use only” and therefore not widely circulated, DHS said “industry reporting” showed that 44 percent of Android users were “still using versions 2.3.3. through 2.3.7 of the OS – known as “Gingerbread” – which were released in 2011 and carried a number of security flaws that were repaired in subsequent versions.

“The growing use of mobile devices by federal, state and local authorities makes it more important than ever to keep mobile OS[es] patched and up-to-date,” the notice said.

DHS cited three threats to those carrying devices with obsolete Android OSes and outlined a mediation tactic:

SMS Trojans

Text message Trojans account for about half of the malware on older Android devices, DHS said. A common exploit sends texts to premium rate phone numbers owned by criminals and results in high charges to the user. Security suites are now available to knock out the threat, according to the memo.

Rootkits

This is hidden malware that logs a user’s locations, keystrokes or passwords without the user’s knowledge. DHS recommended installing the Carrier IQ test free app that can find and remove the malware.

Fake Google Play domains

Users should install and update antivirus software to knock out these exploits, which trap users into installing apps that let hackers get at financial data and log-in credentials, DHS warned.